Skip to content

Commit

Permalink
docs: document env-overrides* headers (#4653)
Browse files Browse the repository at this point in the history 
Co-authored-by: Brandon Duffany <[email protected]>
  • Loading branch information
@sluongng @bduffany
sluongng and bduffany authored Aug 31, 2023
1 parent 8cc54d4 commit 1f346f2
Showing 1 changed file with 58 additions and 0 deletions.
58 changes: 58 additions & 0 deletions docs/secrets.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,64 @@ repository.
Workflow secrets are accessed via environment variables, in the same way
as normal Bazel actions shown above.

## Short-lived secrets

For secrets that have a short Time To Live (TTL), BuildBuddy supports setting
environment variables via special headers passed at the Bazel command line.
Headers are more secure than setting environment variables with Bazel,
as they are not stored in the remote cache.

```bash
# For simple secrets
--remote_exec_header=x-buildbuddy-platform.env-overrides=VAR_A=value_a,VAR_B=val_b

## At execution time:
> echo $VAR_A
value_a
> echo $VAR_B
val_b

---

# For more complex secrets

## First encode the secrets using base64,
## making sure to include the entire 'KEY=VALUE' pair
> echo -n 'VAR_C={"a": 1, "b", 2}' | base64
> echo -n 'VAR_D=asdfa!@#C,+{}' | base64

## then use the base64-encoded strings in the `env-overrides-base64` header, comma separated.
--remote_exec_header=x-buildbuddy-platform.env-overrides-base64=VkFSX0M9eyJhIjogMSwgImIiLCAyfQ==,VkFSX0Q9YXNkZmEhQCNDLCt7fQ==

## At execution time:
> echo $VAR_C
{"a": 1, "b", 2}
> echo $VAR_D
asdfa!@#C,+{}
```

:::note

If multiple values are given with the same variable name, the last value will be used.
If a variable is specified in both `env-overrides` and `env-overrides-base64`,
`env-overrides-base64` will take priority.

:::

These secrets will be set as environment variables at action execution time,
overriding the default environment variables on your container image as well as
the environment variables set by Bazel as part of the action configuration.

:::warning

Secrets may be cached as part of action results if not properly handled.
Avoid printing secret values to the console or storing them in action outputs.

:::

Secrets that are passed through `env-overrides` or `env-overrides-base64` headers
are not subjected to `include-secrets` control documented above.

## Security notes

Secrets are encrypted on the client-side using
Expand Down

0 comments on commit 1f346f2

Please sign in to comment.